Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules. For each Tier-0 Gateway and for each rule, click the gear icon and verify the logging setting. If logging is not enabled, this is a finding.
From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules. For each Tier-0 Gateway and for each rule with logging disabled, click the gear icon, enable logging, and then click "Apply". After all changes are made, click "Publish".
If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable. From the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall >> Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Gateway", this is a finding. For each gateway flood protection profile, if TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are set to "None", this is a finding. For each gateway flood protection profile, examine the "Applied To" field to view the Tier-0 Gateways to which it is applied. If a gateway flood protection profile is not applied to all applicable Tier-0 Gateways through one or more policies, this is a finding.
To create a new Flood Protection profile, do the following: From the NSX Manager web interface, go to Security >> Settings >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Edge Gateway Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Configure the "Applied To" field to contain Tier-0 Gateways, and then click "Save".
From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-0 Gateway in drop-down, then select Policy_Default_Infra Section >> Action. If the default_rule is set to "Allow", this is a finding.
From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-0 Gateway in drop-down, then select Policy_Default_Infra Section >> Action. Change the Action to "Drop" or "Reject", and then click "Publish".
From an NSX Edge Node shell hosting the Tier-0 Gateway, run the following command: > get logging-servers Note: This check must be run from each NSX Edge Node hosting a Tier-0 Gateway, as they are configured individually. or If Node Profiles are used, from the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the syslog servers listed. If any configured logging servers are configured with a protocol of "udp", this is a finding. If any logging servers are not configured with a level of "info", this is a finding. If no logging servers are configured, this is a finding.
To configure a profile to apply syslog servers to all NSX Edge Nodes, do the following: From the NSX Manager web interface, go to System >> Configuration >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then under "Syslog Servers" click "Add". Enter the syslog server details and choose "Information" for the log level and click "Add". or (Optional) From an NSX Edge Node shell, run the following command to clear any existing incorrect logging servers: > clear logging-servers From an NSX Edge Node shell, run the following command to configure a TCP syslog server: > set logging-server <server-ip or server-name> proto tcp level info From an NSX Edge Node shell, run the following command to configure a primary and backup TLS syslog server: > set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem From an NSX Edge Node shell, run the following command to configure a LI-TLS syslog server: > set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX Edge Node appliance. Note: Configure the syslog or SNMP server to send an alert if the events server is unable to receive events from the NSX-T and also if denial of service (DoS) incidents are detected. This is true if the events server is STIG compliant.